DORA – the new kid on the block?

The EU’s new regulation on resilience imposes massive requirements on ICT providers to beef up their cyber risk management!

THE CONTEXT: Given various crises in the recent past, including the shutdown of the EU single market during the COVID-19 pandemic, the EU Council aimed to set new responsiveness standards to cope with crises. Back in Nov 2021, the EU Council adopted a set of conclusions on resilience and crisis response “to improve resilience, preparedness and response” that was created as the Integrated Political Crisis Response (IPCR) back in 2013. With the experience of the economic collateral damage of COVID-19, e.g. distortions in key EU supply chains and economic sectors such as pharmaceuticals, medical devices and semiconductors, a more “comprehensive response to crises” is obviously required.

With the emergence of digital means in finance, the EU pulled together a digital finance package back in Sept. 2020, including a digital finance strategy, markets in crypto-assets (MiCA), the digital operational resilience act (DORA) and distributed ledger technology (DLT, aka Blockchain). The intent was twofold: 1) the current legal framework shall not pose obstacles to new digital financial instruments, and 2) those new instruments shall be captured by the financial regulation and operational risk management requirements for every business activity within the EU.

The Digital Operational Resilience Act (DORA) has been in force since 16th January 2023. The intent is to protect the EU’s financial sector from serious operational disruptions. The focus is (as the name suggests) on enabling resilient operations, e.g. in a critical event such as a cyber-attack that causes massive distortion.
This comes with a significant burden for everybody in the financial services value chain. It is not new that financial institutions such as banks, insurance companies, brokers and rating agencies are directly subject to the supervision of the EU financial services authorities, but with DORA this will be extended to information and communication technology (ICT) service providers as well! E.g., cloud providers, managed services providers, software vendors, system integrators, penetration testing service providers, (non-bank) application payment providers and the like are affected by the new regulation as soon as they operate in the EU: they will be under the supervision of the EU financial services authorities as well.

This is really serious, in particular for the non-core financial ICT service providers:

The transition phase is set for two years, until January 2025, by which time full compliance is required; otherwise heavy monetary fines may be the consequence.

Although not all regulatory requirements, such as technical regulations, are published yet, it is obvious that ICT service providers in particular are better off if they consider some key questions NOW:

  1. How far are we affected by DORA given our position as a key (critical?) player in the financial value chain?
  2. Perform a gap analysis and identify critical areas in the risk management approach (starting from strategy, via policies and procedures, down to measurement and evident transparency, monitoring, controls and corrective measures).
  3. Think about your suppliers and their resilience level as well.

From our recent resilience study, we know that there is a lot of room for improvement (the report is available on request) and – in particular – that there is a significant mismatch between (overly optimistic) self-perception and real resilience performance.

Contact us for a complimentary fact-finding: